Abstract. We propose a new hybrid I/O automaton model that is capable of describing both continuous and discrete behavior. The model, which extends the timed I/O automaton model of [12, 7] and the phase transition system models of [15, 2], allows communication among components using both shared variables and shared actions. The main contributions of this paper are: (1) the definition of hybrid I/O automata and of an implementation relation based on hybrid traces, (2) the definition of a simulation between hybrid I/O automata and a proof that existence of a simulation implies the implementation relation, (3) a definition of composition of hybrid I/O automata and a proof that it respects the implementation relation, and (4) a definition of receptiveness for hybrid I/O automata and a proof that, assuming certain compatibility conditions, receptiveness is preserved by composition.



1 Introduction 

In recent years, there has been a fast-growing interest in hybrid systems [8, 18] — systems that contain both discrete and continuous components, typically computers interacting with the physical world. Because of the rapid development of processor and circuit technology, hybrid systems are becoming common in many application domains, including avionics, process control, robotics and consumer electronics. Motivated by a desire to formally specify and verify real-life applications, we are generalizing existing methods from computer science to the setting of hybrid systems. We are applying our results in a number of projects in the areas of personal rapid transit [14, 10, 20], intelligent vehicle highway systems, and consumer electronics [5].

Within the theory of reactive systems, which has been developed in computer science during the last 20 years, it is common to represent both a system and its properties as abstract machines (see, for instance, [11, 4, 9]). A system is then defined to be correct iff the abstract machine for the system implements the abstract machine for the specification in the sense that the set of behaviors of the first is included in that of the second. A major reason why this approach has been successful is that it supports stepwise refinement: systems can be specified in a uniform way at many levels of abstraction, from a description of their highest-level properties to a description of their implementation in terms of circuitry, and the various specifications can be related formally using the implementation relation. In this paper we generalize this and related ideas from the theory of reactive systems to the setting of hybrid systems. More specifically, we propose answers to the following four questions:

1. What system model do we use? 

2. What implementation relation do we use? 

3. How do we compose systems? 

4. What does it mean for a system to be receptive? 

The system model. Our new hybrid I/O automaton (HIOA) model is based on infinite state machines. The model allows both discrete state jumps, described by a set of labelled transitions, and continuous state changes, described by a set of trajectories. To describe the external interface of a system, the state variables are partitioned into input, output and internal variables, and the transition labels (or actions) are partitioned into input, output and internal actions. Our model is very general and contains no finiteness restrictions. More structure will have to be added in order to deal with applications, but the general model that we propose allows us to answer questions 2-4. HIOA's are inspired by the timed I/O automata of [12, 7] and the phase transition system models of [15, 2]. The main difference between HIOA's and timed I/O automata is that, as in phase transition systems, trajectories are primitive in our model and not a derived notion. In the work on phase transition systems the main emphasis thus far has been on temporal logics and model checking. Questions 2-4 have not been addressed and perhaps for this reason the external interface is not an integral part of a phase transition system.

The implementation relation. The implementation relation that we propose is simply inclusion of the sets of hybrid traces. A hybrid trace records occurrences of input and output actions, and the evolution of input and output variables during an execution of a system. Thus HIOA $B$ implements HIOA $A$ if every behavior of $B$ is allowed by $A$. In this case, $B$ is typically more deterministic than $A$, both at the discrete and the continuous level. For instance, $A$ might produce an output at an arbitrary time before noon, whereas $B$ produces an output sometime between 10 and 11 AM. Or $A$ might allow any smooth trajectory for output variable $y$ with $\dot{y} \in [0, 2]$, whereas $B$ only allows trajectories with $\dot{y} = 1$.

Within computer science, simulation relations provide a major technical tool 
to prove inclusion of behaviors between systems (see [13] for an overview). In 
this paper we propose a definition of a simulation between HIOA's and show 
that existence of a simulation implies the implementation relation. 

Composition. Within computer science various notions of composition have been proposed for models based on transition systems. One popular approach is to use the product construction from classical automata theory and to synchronize on common transition labels ("actions") [11]. In other approaches there are no transition labels to synchronize on, and communication between system components is achieved via shared variables [16, 9]. Shared action and shared variable communication are equally expressive, and the relationships between the two mechanisms are well understood: it depends on the application which of the two is more convenient to use. In control theory studies of dynamic feedback, communication between components is typically achieved via a connection map, which specifies how outputs and inputs of components are wired [19]. This communication mechanism can be expressed naturally using shared variables. Since we find it convenient to use communication via shared actions in the applications that we work on, our model supports both shared action and shared variable communication. Whereas shared actions always correspond to discrete transitions, shared variables can be used equally well for communication of continuously varying signals and for signals that can only change value upon occurrence of a discrete transition.

We prove that our composition operator respects the implementation relation: if $A_1$ implements $A_2$ then $A_1$ composed with $B$ implements $A_2$ composed with $B$. Such a result is essential for compositional design and verification of systems.

Receptiveness. The class of HIOA's is very general and allows for systems with bizarre timing behavior. We can describe systems in which time cannot advance at all or in which time advances in successively smaller increments but never beyond a certain bound, so-called Zeno behavior. We do not want to accept such systems as valid implementations of any specification since, clearly, they will have no physical realization. Therefore we only accept receptive HIOA's as implementations, i.e., HIOA's in which time can advance to infinity independently of the input provided by the environment. Inspired by earlier work of [6, 1, 7] on (timed) discrete event systems, we define receptivity in terms of a game between system and environment in which the goal of the system is to construct an infinite, nonZeno execution, and the goal of the environment is to prevent this. It is interesting to compare our games with the games of Nerode and Yakhnis [17]. Since the purpose of the latter games is the extraction of digital control to meet performance specifications, the environment player may choose all disturbances. Irrespective of the disturbances the system should realize a given performance specification. The purpose of our games is to show that regardless of the input provided by its environment, a HIOA can exhibit proper behavior. Therefore, in our games the system resolves all nondeterminism due to internal disturbances (which express implementation freedom), even though the environment may choose all the input signals.

The main technical result that we prove about receptivity is that, assuming 
certain compatibility conditions, receptiveness is preserved by composition. 



2 Hybrid I/O Automata and Their Behavior 

In this section we introduce HIOA's and define an implementation relation between these automata. Since the notion of a trajectory plays an important role in the model, we start out with the definition of trajectories and some operations on them.



2.1 Trajectories 

Throughout this paper, we fix a time axis $\mathsf{T}$, which is a subgroup of $(\mathbb{R}, +)$, the real numbers with addition. Usually, $\mathsf{T} = \mathbb{R}$ or $\mathbb{Z}$, but also the degenerate time axis $\mathsf{T} = \{0\}$ is allowed. An interval $I$ is a convex subset of $\mathsf{T}$. We denote intervals as usual: $[t_1, t_2] = \{t \in \mathsf{T} \mid t_1 \le t \le t_2\}$, etc. For $I$ an interval and $t \in \mathsf{T}$, we define $I + t = \{t' + t \mid t' \in I\}$.

We assume a universal set $\mathcal{V}$ of variables. Variables in $\mathcal{V}$ are typed, where the type of a variable, such as reals, integers, etc., indicates the domain over which the variable ranges. Let $Z \subseteq \mathcal{V}$. A valuation of $Z$ is a mapping that associates to each variable of $Z$ a value in its domain. We write $\mathbf{Z}$ for the set of valuations of $Z$. Often, valuations will be referred to as states.

A trajectory over $Z$ is a mapping $w : I \to \mathbf{Z}$, where $I$ is a left-closed interval of $\mathsf{T}$ with left endpoint equal to 0. With $dom(w)$ we denote the domain of $w$ and with $trajs(Z)$ the collection of all trajectories over $Z$. If $w$ is a trajectory then $w.ltime$, the limit time of $w$, is the supremum of $dom(w)$. Similarly, define $w.fstate$, the first state of $w$, to be $w(0)$, and if $dom(w)$ is right-closed, define $w.lstate$, the last state of $w$, to be $w(w.ltime)$. A trajectory with domain $[0, 0]$ is called a point trajectory. If $s$ is a state then define $p(s)$ to be the point trajectory that maps to $s$.

For $w$ a trajectory and $t \in \mathsf{T}^{\ge 0}$, we define $w \unlhd t = w \lceil [0, t]$ and $w \lhd t = w \lceil [0, t)$. (Here $\lceil$ denotes the restriction of a function to a subset of its domain.) Note that $w \lhd 0$ is not a trajectory. By convention, $w \unlhd \infty = w \lhd \infty = w$. Similarly we define, for $w$ a trajectory and $I$ a left-closed interval with minimal element $l$, the restriction $w \lceil I$ to be the function with domain $(I \cap dom(w)) - l$ given by $w \lceil I\,(t) = w(t + l)$. Note that $w \lceil I$ is a trajectory iff $l \in dom(w)$.

If $w$ is a trajectory over $Z$ and $Z' \subseteq Z$, then the projection $w \downarrow Z'$ is the trajectory over $Z'$ with domain $dom(w)$ defined by $w \downarrow Z'\,(t)(z) = w(t)(z)$. The projection operation is extended to sets of trajectories by pointwise extension. Also, if $w$ is a trajectory over $Z$ and $z \in Z$, then the projection $w \downarrow z$ is the function from $dom(w)$ to the domain of $z$ defined by $w \downarrow z\,(t) = w(t)(z)$.

If $w$ is a trajectory with a right-closed domain $I = [0, u]$, $w'$ is a trajectory with domain $I'$, and if $w.lstate = w'.fstate$, then we define the concatenation $w \frown w'$ to be the trajectory with domain $I \cup (I' + u)$ given by

$$(w \frown w')(t) = \begin{cases} w(t) & \text{if } t \in I, \\ w'(t - u) & \text{otherwise.} \end{cases}$$

We extend the concatenation operator to a countable sequence of trajectories: if $w_i$ is a trajectory with domain $I_i$, $1 \le i < \infty$, where all $I_i$ are right-closed, and if $w_i.lstate = w_{i+1}.fstate$ for all $i$, then we define the infinite concatenation, written $w_1 \frown w_2 \frown w_3 \cdots$, to be the least function $w$ such that $w(t + \sum_{j < i} w_j.ltime) = w_i(t)$ for all $t \in I_i$.

A trajectory $w$ is closed if its domain is a (finite) closed interval and full if its domain equals $\mathsf{T}^{\ge 0}$. For $W$ a set of trajectories, $Closed(W)$ and $Full(W)$ denote the subsets of closed and full trajectories in $W$, respectively. Trajectory $w$ is a prefix of trajectory $w'$, notation $w \le w'$, if either $w = w'$ or $w' = w \frown w''$, for some trajectory $w''$. With $Pref(W)$ we denote the prefix-closure of $W$: $Pref(W) = \{w \mid \exists w' \in W : w \le w'\}$. Set $W$ is prefix closed if $W = Pref(W)$. A trajectory in $W$ is maximal if it is not a prefix of any other trajectory in $W$. We write $Max(W)$ for the subset of maximal trajectories in $W$.

2.2 Hybrid I/O Automata 

A hybrid I/O automaton (HIOA) $A = (U, X, Y, \Sigma^{in}, \Sigma^{int}, \Sigma^{out}, \Theta, \mathcal{D}, \mathcal{W})$ consists of the following components:

— Three disjoint sets $U$, $X$ and $Y$ of variables, called input, internal and output variables, respectively.

Variables in $E = U \cup Y$ are called external, and variables in $L = X \cup Y$ are called locally controlled. We write $V = U \cup L$.

— Three disjoint sets $\Sigma^{in}$, $\Sigma^{int}$, $\Sigma^{out}$ of input, internal and output actions, respectively.

We assume that $\Sigma^{in}$ contains a special element $e$, the environment action, which represents the occurrence of a discrete transition outside the system that is unobservable, except (possibly) through its effect on the input variables. Actions in $\Sigma^{ext} = \Sigma^{in} \cup \Sigma^{out}$ are called external, and actions in $\Sigma^{loc} = \Sigma^{int} \cup \Sigma^{out}$ are called locally controlled. We write $\Sigma = \Sigma^{in} \cup \Sigma^{loc}$.

— A nonempty set $\Theta \subseteq \mathbf{V}$ of initial states satisfying

Init (start states closed under change of input variables)
$\forall s, s' \in \mathbf{V} : s \in \Theta \wedge s\lceil L = s'\lceil L \Rightarrow s' \in \Theta$

— A set $\mathcal{D} \subseteq \mathbf{V} \times \Sigma \times \mathbf{V}$ of discrete transitions satisfying

D1 (input action enabling)
$\forall s \in \mathbf{V}, a \in \Sigma^{in}\ \exists s' \in \mathbf{V} : s \xrightarrow{a} s'$

D2 (environment action only affects inputs)
$\forall s, s' \in \mathbf{V} : s \xrightarrow{e} s' \Rightarrow s\lceil L = s'\lceil L$

D3 (input variable change enabling)
$\forall s, s', s'' \in \mathbf{V}, a \in \Sigma : s \xrightarrow{a} s' \wedge s'\lceil L = s''\lceil L \Rightarrow s \xrightarrow{a} s''$

Here we used $s \xrightarrow{a} s'$ as shorthand for $(s, a, s') \in \mathcal{D}$.

— A set $\mathcal{W}$ of trajectories over $V$ satisfying

T1 (existence of point trajectories)
$\forall s \in \mathbf{V} : p(s) \in \mathcal{W}$

T2 (closure under subintervals)
$\forall w \in \mathcal{W}$, $I$ left-closed, non-empty subinterval of $dom(w)$: $w \lceil I \in \mathcal{W}$

T3 (completeness)
for $w$ a full trajectory over $V$: $(\forall t \in \mathsf{T}^{\ge 0} : w \lceil [0, t] \in \mathcal{W}) \Rightarrow w \in \mathcal{W}$

Axiom Init says that a system has no control over the initial values of its input variables: if one valuation is allowed then any other valuation is allowed also.

Axiom D1 is a slight generalization of the input enabling condition of the (classical) I/O automaton model: it says that in each state each input action is enabled, including the environment action $e$. The second axiom D2 says that $e$ cannot change locally controlled variables. Axiom D3 expresses that, since input variables are not under control of the system, these variables may be changed in an arbitrary way after any discrete action. The three axioms together imply the converse of D2, i.e., if two states only differ in their input variables then there exists an $e$ transition between them. Axioms D1-3 play a crucial role in our study of parallel composition. In particular D2 and D3 are used to avoid cyclic constraints during the interaction of two systems.
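As an added illustration that is not part of the paper, the following Python code models the discrete part of a small constructed HIOA (a request/acknowledge handshake with one input, one internal and one output variable; all variable and action names are assumptions made for this example) and checks axioms Init and D1-D3 exhaustively over its eight states. It also checks the consequence stated above, that two states differing only in their input variables are linked by an $e$ transition, and shows that a variant whose $e$ step alters an internal variable fails D2 and loses that property.

```python
from itertools import product

# Constructed toy HIOA (discrete part only): a request/acknowledge handshake.
# Variable and action names are assumptions for this example, not the paper's.
U = {"req": (0, 1)}                      # input variable and its domain
X = {"busy": (0, 1)}                     # internal variable
Y = {"ack": (0, 1)}                      # output variable
L = {**X, **Y}                           # locally controlled variables L = X ∪ Y
V = {**U, **L}                           # all variables V = U ∪ L
SIG_IN, SIG_INT, SIG_OUT = {"e", "start"}, {"work"}, {"done"}
SIGMA = SIG_IN | SIG_INT | SIG_OUT

def make_state(**values):
    """A valuation as a hashable tuple of (variable, value) pairs, sorted by name."""
    return tuple(sorted(values.items()))

def states(Z=V):
    """All valuations of the variable set Z (the bold set of the paper)."""
    names = sorted(Z)
    return [tuple(zip(names, vals)) for vals in product(*(Z[n] for n in names))]

def restrict(s, Z):
    """s⌈Z: the valuation s restricted to the variables in Z."""
    return tuple((n, v) for n, v in s if n in Z)

def val(s, name):
    return dict(s)[name]

def theta(s):
    """Θ: the system starts idle with ack low. Because this depends on L only,
    Θ is closed under changes of the input variable (axiom Init)."""
    return val(s, "busy") == 0 and val(s, "ack") == 0

def local_effects(s, a):
    """Allowed values of (busy, ack) after action a from state s; the empty set
    means a is not enabled in s. Input actions are enabled everywhere (D1)."""
    busy, ack, req = val(s, "busy"), val(s, "ack"), val(s, "req")
    if a == "e":
        return {(busy, ack)}                               # e never touches L (D2)
    if a == "start":
        return {(1, 0)} if not busy else {(busy, ack)}     # ignored while busy
    if a == "work":
        return {(1, 0)} if busy and req else set()         # internal, needs req high
    if a == "done":
        return {(0, 1)} if busy else set()                 # output action
    return set()

def transitions(effects=local_effects):
    """Build D ⊆ V × Σ × V. Each allowed local result is paired with every
    valuation of the input variables, which is what axiom D3 demands."""
    D = set()
    for s in states():
        for a in SIGMA:
            for busy, ack in effects(s, a):
                for req in U["req"]:
                    D.add((s, a, make_state(req=req, busy=busy, ack=ack)))
    return D

def check_axioms(theta, D):
    """Return the names of the axioms among Init, D1, D2, D3 that Θ and D violate."""
    S = states()
    Theta = [s for s in S if theta(s)]
    bad = set()
    if not Theta or any(restrict(s, L) == restrict(s2, L) and not theta(s2)
                        for s in Theta for s2 in S):
        bad.add("Init")                                    # Θ nonempty, input-closed
    enabled = {(s, a) for s, a, _ in D}
    if any((s, a) not in enabled for s in S for a in SIG_IN):
        bad.add("D1")                                      # every input action enabled
    for s, a, s2 in D:
        if a == "e" and restrict(s, L) != restrict(s2, L):
            bad.add("D2")                                  # e leaves L unchanged
        if any(restrict(s2, L) == restrict(s3, L) and (s, a, s3) not in D for s3 in S):
            bad.add("D3")                                  # inputs free after any step
    return bad

def converse_of_d2_holds(D):
    """The consequence noted in the text: two states that differ only in their
    input variables are connected by an e transition."""
    S = states()
    return all((s, "e", s2) in D for s in S for s2 in S
               if restrict(s, L) == restrict(s2, L))

def broken_effects(s, a):
    """Variant in which e toggles the internal variable; this breaks D2."""
    if a == "e":
        return {(1 - val(s, "busy"), val(s, "ack"))}
    return local_effects(s, a)

if __name__ == "__main__":
    print("well-formed HIOA violates:", check_axioms(theta, transitions()) or "nothing")
    print("converse of D2 holds:", converse_of_d2_holds(transitions()))
    print("broken variant violates:", check_axioms(theta, transitions(broken_effects)))
```

The checker enumerates the whole (finite) state space, so it only scales to toy models; its value here is that it makes the role of D3 concrete: the transition relation is built by pairing each local outcome with every input valuation, and any relation that fails to do so is reported immediately.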

Axioms T1-3 state some natural conditions on the set of trajectories that we need to set up our theory: existence of point trajectories, closure under subintervals, and the fact that a full trajectory is in $\mathcal{W}$ iff all its prefixes are in $\mathcal{W}$.

Notation. Let $A$ be a HIOA as described above. If $s \in \mathbf{V}$ and $l \in \mathbf{L}$, then we write $s \xrightarrow{a} l$ iff there exists an $s' \in \mathbf{V}$ such that $s \xrightarrow{a} s'$ and $s'\lceil L = l$. In the sequel, the components of a HIOA $A$ will be denoted by $V_A$, $\mathbf{V}_A$, $\mathcal{D}_A$, $\Theta_A$, etc. Sometimes, the components of a HIOA $A_i$ will also be denoted by $V_i$, $U_i$, $\Sigma_i$, $\Theta_i$, etc.

2.3 Hybrid Executions 

A hybrid execution fragment of $A$ is a finite or infinite alternating sequence $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$, where:

1. Each $w_i$ is a trajectory in $\mathcal{W}_A$ and each $a_i$ is an action in $\Sigma_A$.

2. If $\alpha$ is a finite sequence then it ends with a trajectory.

3. If $w_i$ is not the last trajectory in $\alpha$ then its domain is a right-closed interval and $w_i.lstate \xrightarrow{a_{i+1}}_A w_{i+1}.fstate$.

An execution fragment records all the discrete changes that occur in the evolution of a system, plus the "continuous" state changes that take place in between. The third item says that the discrete actions in $\alpha$ span between successive trajectories. We write $h\text{-}frag(A)$ for the set of all hybrid execution fragments of $A$.



If $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ is a hybrid execution fragment then we define the limit time of $\alpha$, notation $\alpha.ltime$, to be $\sum_i w_i.ltime$. Further, we define the first state of $\alpha$, $\alpha.fstate$, to be $w_0.fstate$.

We distinguish several sorts of hybrid execution fragments. A hybrid execution fragment $\alpha$ is defined to be

— an execution if the first state of $\alpha$ is an initial state,

— finite if $\alpha$ is a finite sequence and the domain of its final trajectory is a right-closed interval,

— admissible if $\alpha.ltime = \infty$,

— Zeno if $\alpha$ is neither finite nor admissible, and

— a sentence if $\alpha$ is a finite execution that ends with a point trajectory.

If $\alpha = w_0 a_1 w_1 \cdots a_n w_n$ is a finite hybrid execution fragment then we define the last state of $\alpha$, notation $\alpha.lstate$, to be $w_n.lstate$. A state of $A$ is defined to be reachable if it is the last state of some finite hybrid execution of $A$.

A finite hybrid execution fragment $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots a_n w_n$ and a hybrid execution fragment $\alpha' = w_0' a_1' w_1' a_2' w_2' \cdots$ of $A$ can be concatenated if $w_n \frown w_0'$ is defined and a trajectory of $A$. In this case, the concatenation $\alpha \frown \alpha'$ is the hybrid execution fragment defined by

$\alpha \frown \alpha' = w_0 a_1 w_1 a_2 w_2 \cdots a_n (w_n \frown w_0')\ a_1' w_1' a_2' w_2' \cdots$



2.4 Hybrid Traces 

Suppose $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ is a hybrid execution fragment of $A$. In order to define the hybrid trace of $\alpha$, let

$\gamma = (w_0 \downarrow E_A)\ vis(a_1)\ (w_1 \downarrow E_A)\ vis(a_2)\ (w_2 \downarrow E_A) \cdots$

where, for $a$ an action, $vis(a)$ is defined equal to $\tau$ if $a$ is an internal action or $e$, and equal to $a$ otherwise. Here $\tau$ is a special symbol which, as in the theory of process algebra, plays the role of the 'generic' invisible action. An occurrence of $\tau$ in $\gamma$ is called inert if the final state of the trajectory that precedes the $\tau$ equals the first state of the trajectory that follows it (after hiding of the internal variables). The hybrid trace of $\alpha$, written $htrace(\alpha)$, is defined to be the sequence obtained from $\gamma$ by removing all inert $\tau$'s and concatenating the surrounding trajectories.

The hybrid traces of $A$ are the hybrid traces that arise from all the finite and admissible hybrid executions of $A$. We write $h\text{-}traces(A)$ for the set of hybrid traces of $A$.

HIOA's $A_1$ and $A_2$ are comparable if they have the same external interface, i.e., $U_1 = U_2$, $Y_1 = Y_2$, $\Sigma_1^{in} = \Sigma_2^{in}$ and $\Sigma_1^{out} = \Sigma_2^{out}$. If $A_1$ and $A_2$ are comparable then $A_1 \le A_2$ is defined to mean that the hybrid traces of $A_1$ are included in those of $A_2$: $A_1 \le A_2 \triangleq h\text{-}traces(A_1) \subseteq h\text{-}traces(A_2)$.
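As an added worked example that is not from the paper, the following Python code takes the integer time axis $\mathsf{T} = \mathbb{Z}$, which the paper permits, so that a closed trajectory is simply a finite list of valuations indexed by time. It implements projection, concatenation, $vis$ and the hybrid trace of a finite execution fragment, including the removal of inert $\tau$'s, on a constructed execution with assumed variable names $u$ (input), $x$ (internal) and $y$ (output) and assumed action names. Two executions that differ only by an internal step end up with the same hybrid trace, while an $e$ step that changes the input remains visible as a non-inert $\tau$; the implementation relation of this section is then checked as set inclusion over the given finite executions.

```python
# Time axis T = Z (allowed by the paper). A closed trajectory over a set of
# variables is then a finite sequence of valuations, position i = time i, and
# w.ltime = len(w) - 1. Variable and action names are assumptions for this example.
U_A, X_A, Y_A = {"u"}, {"x"}, {"y"}              # input, internal, output variables
E_A = U_A | Y_A                                   # external variables E = U ∪ Y
SIG_IN, SIG_INT, SIG_OUT = {"e", "in"}, {"internal"}, {"out"}

def state(**values):
    """A valuation as a hashable, name-sorted tuple of (variable, value) pairs."""
    return tuple(sorted(values.items()))

def project(w, Z):
    """w↓Z: keep only the variables in Z at every time point."""
    return tuple(tuple((n, v) for n, v in s if n in Z) for s in w)

def concat(w, w2):
    """w ⌢ w2: defined only if w.lstate = w2.fstate; the shared point is not repeated."""
    if w[-1] != w2[0]:
        raise ValueError("concatenation undefined: w.lstate != w2.fstate")
    return w + w2[1:]

def ltime(alpha):
    """alpha.ltime: the sum of the limit times of the trajectories of the fragment."""
    return sum(len(w) - 1 for w in alpha[0::2])

def vis(a):
    """vis(a): internal actions and the environment action e become tau."""
    return "tau" if a in SIG_INT or a == "e" else a

def htrace(alpha):
    """Hybrid trace of a finite execution fragment [w0, a1, w1, ..., an, wn]:
    project trajectories on E, replace hidden actions by tau, then drop every
    inert tau (external state unchanged) by concatenating its neighbours."""
    trajs = [project(w, E_A) for w in alpha[0::2]]
    out = [trajs[0]]
    for a, w in zip(alpha[1::2], trajs[1:]):
        a = vis(a)
        if a == "tau" and out[-1][-1] == w[0]:
            out[-1] = concat(out[-1], w)          # inert tau: merge the trajectories
        else:
            out.extend([a, w])
    return tuple(out)

def implements(executions_b, executions_a):
    """B ≤ A as hybrid-trace inclusion, over the finite executions supplied."""
    return {htrace(b) for b in executions_b} <= {htrace(a) for a in executions_a}

# Constructed execution: u rises, an internal step flips x (externally inert), the
# output action "out" raises y, and then e lowers the input u. That e is hidden,
# but its effect on u is visible, so its tau is not inert and survives.
ALPHA = [
    (state(u=0, x=0, y=0), state(u=1, x=0, y=0)),                       # w0, ltime 1
    "internal",
    (state(u=1, x=1, y=0), state(u=1, x=1, y=0)),                       # w1, ltime 1
    "out",
    (state(u=1, x=1, y=1),),                                            # w2, point trajectory
    "e",
    (state(u=0, x=1, y=1), state(u=0, x=1, y=1), state(u=0, x=1, y=1)), # w3, ltime 2
]

# Same external behaviour without the internal step: must yield the same hybrid trace.
ALPHA_NO_INTERNAL = [
    (state(u=0, x=0, y=0), state(u=1, x=0, y=0), state(u=1, x=0, y=0)),
    "out",
    (state(u=1, x=0, y=1),),
    "e",
    (state(u=0, x=0, y=1), state(u=0, x=0, y=1), state(u=0, x=0, y=1)),
]

if __name__ == "__main__":
    for item in htrace(ALPHA):
        print(item)
    print("same trace:", htrace(ALPHA) == htrace(ALPHA_NO_INTERNAL))
```

Restricting to $\mathsf{T} = \mathbb{Z}$ and closed trajectories is what makes the computation finite; with a dense time axis the same definitions apply but trajectories would have to be represented symbolically.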



3 Simulation Relations 

Let $A$ and $B$ be comparable HIOA's. A simulation from $A$ to $B$ is a relation $R \subseteq \mathbf{V}_A \times \mathbf{V}_B$ satisfying the following conditions, for all states $r$ and $s$ of $A$ and $B$, respectively:

1. If $r \in \Theta_A$ then there exists $s \in \Theta_B$ such that $r\,R\,s$.

2. If $r \xrightarrow{a}_A r'$ and $r\,R\,s$ then $B$ has a finite execution fragment $\alpha$ with $s = \alpha.fstate$, $htrace(p(r)\,a\,p(r')) = htrace(\alpha)$ and $r'\,R\,\alpha.lstate$.

3. If $r\,R\,s$ and $w$ is a closed trajectory of $A$ with $r = w.fstate$ then $B$ has a finite execution fragment $\alpha$ with $s = \alpha.fstate$, $htrace(w) = htrace(\alpha)$ and $w.lstate\,R\,\alpha.lstate$.

Note that by Condition 3 and the existence of point trajectories (axiom T1), $r\,R\,s$ implies that $r\lceil E_A = s\lceil E_B$.

Theorem 1. If $A$ and $B$ are comparable HIOA's and there is a simulation from $A$ to $B$, then $A \le B$.



4 Parallel Composition and Hiding 

We say that HIOA's $A_1$ and $A_2$ are compatible if, for $i \ne j$,

$X_i \cap V_j = Y_i \cap Y_j = \Sigma_i^{int} \cap \Sigma_j = \Sigma_i^{out} \cap \Sigma_j^{out} = \emptyset.$

If $A_1$ and $A_2$ are compatible then their composition $A_1 \| A_2$ is defined to be the tuple $A = (U, X, Y, \Sigma^{in}, \Sigma^{int}, \Sigma^{out}, \Theta, \mathcal{D}, \mathcal{W})$ given by

- $U = (U_1 \cup U_2) - (Y_1 \cup Y_2)$, $X = X_1 \cup X_2$, $Y = Y_1 \cup Y_2$

- $\Sigma^{in} = (\Sigma_1^{in} \cup \Sigma_2^{in}) - (\Sigma_1^{out} \cup \Sigma_2^{out})$, $\Sigma^{int} = \Sigma_1^{int} \cup \Sigma_2^{int}$, $\Sigma^{out} = \Sigma_1^{out} \cup \Sigma_2^{out}$

- $\Theta = \{s \in \mathbf{V} \mid s\lceil V_1 \in \Theta_1 \wedge s\lceil V_2 \in \Theta_2\}$

- Define, for $i \in \{1, 2\}$, the projection function $\pi_i : \Sigma \to \Sigma_i$ by $\pi_i(a) = a$ if $a \in \Sigma_i$ and $\pi_i(a) = e$ otherwise. Then $\mathcal{D}$ is the subset of $\mathbf{V} \times \Sigma \times \mathbf{V}$ given by

$(s, a, s') \in \mathcal{D} \Leftrightarrow s\lceil V_1 \xrightarrow{\pi_1(a)}_1 s'\lceil V_1 \wedge s\lceil V_2 \xrightarrow{\pi_2(a)}_2 s'\lceil V_2$

- $\mathcal{W}$ is the set of trajectories over $V$ given by

$w \in \mathcal{W} \Leftrightarrow w \downarrow V_1 \in \mathcal{W}_1 \wedge w \downarrow V_2 \in \mathcal{W}_2$

Proposition 2. $A_1 \| A_2$ is a HIOA.

Theorem 3. Suppose $A_1$, $A_2$ and $B$ are HIOA's with $A_1 \le A_2$, and each of $A_1$ and $A_2$ is compatible with $B$. Then $A_1 \| B \le A_2 \| B$.

Two natural hiding operations can be defined on any HIOA $A$:

(1) If $S \subseteq \Sigma_A^{out}$, then $ActHide(S, A)$ is the HIOA $B$ that is equal to $A$ except that $\Sigma_B^{out} = \Sigma_A^{out} - S$ and $\Sigma_B^{int} = \Sigma_A^{int} \cup S$.

(2) If $Z \subseteq Y_A$, then $VarHide(Z, A)$ is the HIOA $B$ that is equal to $A$ except that $Y_B = Y_A - Z$ and $X_B = X_A \cup Z$.

Theorem 4. Suppose $A$ and $B$ are HIOA's with $A \le B$, and let $S \subseteq \Sigma_A^{out}$ and $Z \subseteq Y_A$. Then $ActHide(S, A) \le ActHide(S, B)$ and $VarHide(Z, A) \le VarHide(Z, B)$.

5 Receptiveness 

We call a HIOA feasible if any finite execution can be extended to an admissible execution. The main significance of feasibility is to guarantee that a HIOA is meaningful in the sense that it cannot block time. Unfortunately feasibility is not preserved by parallel composition, and thus we need to impose additional restrictions on a HIOA so that the feasibility property is guaranteed to be preserved by parallel composition. Our ideal objective would be to find the weakest restrictions that need to be imposed; here we just propose some restrictions, although we have not proved that they are the weakest. Below we define a notion of receptiveness and prove that it is preserved by composition under some reasonable assumptions.

5.1 I/O Behaviors 

The concept of an I/O behavior plays an important role in the definition of receptiveness. Intuitively, an I/O behavior is a set of trajectories that arise from a HIOA after choosing initial values for the local variables and resolving all internal nondeterminism.

We assume, for each variable $v \in \mathcal{V}$, a dynamic type $\mathcal{F}_v$, which is a nonempty collection of functions from $\mathsf{T}$ to the domain of $v$. We require the sets $\mathcal{F}_v$ to be time-invariant: for each $f \in \mathcal{F}_v$ and each $t \in \mathsf{T}$, also $f^t \in \mathcal{F}_v$, where $f^t$ is the function from $\mathsf{T}$ to the domain of $v$ given by $f^t(t') = f(t' + t)$. Intuitively, the dynamic type $\mathcal{F}_v$ gives the collection of allowed trajectories for $v$. For instance, if $\mathsf{T} = \mathbb{R}$ and $v$ has domain $\mathbb{R}$, then $\mathcal{F}_v$ will be the set of all continuous or smooth functions, or the set of all measurable locally essentially bounded functions [19]. If $v$ is a "discrete" variable (in the sense of [15]), then $\mathcal{F}_v$ is the set of all the constant functions. If $Z \subseteq \mathcal{V}$ then we write $\mathcal{F}\text{-}trajs(Z)$ for the set of trajectories $w$ over $Z$ with the property that for all $z \in Z$, $w \downarrow z \in \mathcal{F}_z \lceil dom(w)$.

An I/O behavior is a triple $P = (U, Y, B)$, where

— $U$ is a set of typed input variables;

— $Y$ is a set of typed output variables with $U \cap Y = \emptyset$; we write $V = U \cup Y$;

— $B \subseteq \mathcal{F}\text{-}trajs(V)$ is a prefix closed set of trajectories satisfying

B1 (functional dependence of outputs from inputs)
For all $w, w' \in B$ and for all $t \in dom(w) \cap dom(w')$,
$(w \lhd t) \downarrow U = (w' \lhd t) \downarrow U \Rightarrow w(t)\lceil Y = w'(t)\lceil Y$

B2 (freedom of inputs)
$\forall w \in Full(\mathcal{F}\text{-}trajs(U))\ \exists w' \in Max(B) : w' \downarrow U \le w$

B3 (nonZenoness)
$Max(B) \subseteq Closed(B) \cup Full(B)$



Axiom B1 says that the output at time $t$ is fully determined by the inputs at times up to, but not including, $t$. Roughly speaking, axiom B2 expresses that the input is a signal that is imposed by the environment and over which the system has no control. However, in a hybrid world a continuous phase of a system can be interrupted at any time by the occurrence of a discrete transition. A system may, for instance, perform a locally controlled discrete action as soon as the input reaches a threshold value. Therefore, axiom B2 only requires that for each full input signal there exists a maximal trajectory that, when projected on its input, forms a prefix of this input signal. Axiom B3 states that each maximal trajectory is either closed or full. Together, B2 and B3 imply that in an I/O behavior each input signal is accepted up to and including some finite time $t$ or up to $\infty$. Note that for any I/O behavior $P$ there is an output state $s \in \mathbf{Y}$ such that all trajectories $w$ in $B$ begin with $s$, i.e., $w(0)\lceil Y = s$.

Our I/O behaviors can be viewed as a special case of the I/O behaviors of 
Sontag [19]. Sontag defines I/O behaviors in terms of a response map from input 
signals up to time t to the output at time t, but this presentation is equivalent to 
our definition in terms of trajectories over both inputs and outputs. Technically, 
we found it a bit easier to use trajectories in this paper. In [19], no assumptions 
are made about possible input signals and the length of maximal trajectories 
(our axioms B2 and B3). However, [19] singles out the so-called V-complete 
I/O behaviors, which are I/O behaviors that accept any input of type V. 

In the sequel, the components of an I/O behavior $P$ will be denoted by $V_P$, $U_P$, $Y_P$ and $B_P$. Also, if no confusion can arise, the components of an I/O behavior $P_i$ will be denoted by $V_i$, $U_i$, $Y_i$ and $B_i$, etc.

Two I/O behaviors $P_1$ and $P_2$ are compatible if $Y_1 \cap Y_2 = \emptyset$. In this case, we define the composition $P_1 \| P_2$ to be the structure $P = (U, Y, B)$ where

- $U = (U_1 \cup U_2) - (Y_1 \cup Y_2)$,

- $Y = Y_1 \cup Y_2$, and

- $B \subseteq \mathcal{F}\text{-}trajs(U \cup Y)$ is given by $w \in B \Leftrightarrow w \downarrow V_1 \in B_1 \wedge w \downarrow V_2 \in B_2$.

In general, the composition of two compatible I/O behaviors need not be an I/O behavior since there may be "too many solutions":

Example 1. Suppose $\mathsf{T} = \mathbb{R}$. For $u, y$ variables whose dynamic type is the set of functions from $\mathbb{R}$ to $\mathbb{R}$ that have left-hand limits, define $Copy(u, y)$ to be the I/O behavior that, for $t > 0$, copies input $u$ to output $y$, and with the initial value of $y$ set to 0. Then the composition of $Copy(u, y)$ and $Copy(y, u)$ has no input variables and therefore just one full input trajectory is allowed. However, there is more than one output trajectory and thus the composition does not satisfy axiom B1.

It may also occur that the composition of two compatible I/O behaviors yields an I/O behavior, even though there exists no "solution" in the sense that maximal trajectories can be merged. This motivates the following definition.

Two compatible I/O behaviors $P_1$ and $P_2$ are strongly compatible if $P = P_1 \| P_2$ is an I/O behavior and, for each trajectory $w$ of $P$,

$w \in Max(B_P) \Leftrightarrow (w \downarrow V_1 \in Max(B_1) \vee w \downarrow V_2 \in Max(B_2))$.



Example 2. Suppose $\mathsf{T} = \mathbb{R}$. For $u, y$ variables whose dynamic type is the set of functions from $\mathbb{R}$ to $\mathbb{R}$ that have left-hand limits, define $Add1(u, y)$ to be the I/O behavior whose output $y$ is, for $t > 0$, equal to the input $u$ incremented by 1, and with the initial value of $y$ set to 0. Then the I/O behaviors $Add1(u, y)$ and $Add1(y, u)$ are compatible but not strongly compatible, even though their composition is an I/O behavior.

Let $A$ be a HIOA and let $l \in \mathbf{L}_A$ be a valuation of the local variables of $A$. A nonempty set $W$ of trajectories of $A$ is called an $l$-process (or process) of $A$ if $(U_A, L_A, W)$ is an I/O behavior and, for all $w \in W$, $w(0)\lceil L_A = l$, i.e., the initial states of all trajectories in $W$ agree with $l$.

Two compatible HIOA's $A_1$ and $A_2$ are strongly compatible if for each reachable state $s$ of $A_1 \| A_2$, for each $(s\lceil L_1)$-process $W_1$ of $A_1$, and for each $(s\lceil L_2)$-process $W_2$ of $A_2$, the I/O behaviors $(U_1, L_1, W_1)$ and $(U_2, L_2, W_2)$ are strongly compatible.

5.2 Games and Strategies 

Intuitively, a system is receptive if time can advance to infinity independently of the input provided by its environment, or equivalently, if it does not constrain its environment. In [6, 1, 7] various notions of receptivity have been defined in terms of games. Below, we extend these ideas to the setting of HIOA's. The interaction between a system and its environment is represented as a two-person game in which the goal of the system is to construct an admissible execution, and the goal of the environment is to prevent this. The system is receptive if it has a strategy by which it can always win the game, irrespective of the behavior of the environment.

Formally, a strategy $\rho$ for $A$ is a function that specifies, for each sentence $\alpha$ of $A$ with $l = \alpha.lstate\lceil L_A$,

1. an $l$-process $W_\alpha$ of $A$,

2. a function $g_\alpha : Closed(W_\alpha) \times \Sigma_A^{in} \to \mathbf{L}_A$ satisfying

$g_\alpha(w, a) = l \Rightarrow w.lstate \xrightarrow{a}_A l$

3. a function $f_\alpha : Closed(Max(W_\alpha)) \to (\Sigma_A^{loc} \times \mathbf{L}_A)$ satisfying

$f_\alpha(w) = (a, l) \Rightarrow w.lstate \xrightarrow{a}_A l$

At the beginning and immediately after each discrete transition, a strategy produces a process $W$ that starts in the current local state. By doing this, a strategy resolves all nondeterminism for the next continuous phase. Typically, choosing a process amounts to fixing the trajectories for certain internal variables that represent disturbances, and deciding at which time the next locally controlled action will be performed. Once a process has been selected, the input signal fully determines the next trajectory in the execution of the system. Since at any point the environment may produce a discrete input action, a strategy also specifies, through the function $g$, what will be the next local state after such an action. The values of the input variables after a discrete step are determined by the environment. Through the function $f$, a strategy specifies, for each maximal and closed trajectory of the selected process, which locally controlled step will be performed at the end of this trajectory.

In the game between the environment and the system the behavior of the environment is represented by an environment sequence. This is an infinite alternating sequence

$\lambda = w_1\, a_1\, b_1\, w_2\, a_2\, b_2 \cdots$

of closed or full trajectories $w_i \in \mathcal{F}\text{-}trajs(U_A)$, actions $a_i \in \Sigma_A^{in}$, and booleans $b_i \in \{T, F\}$.

In the $i$-th move of the game, the environment produces input signal $w_i$. If $w_i$ is finite then the environment produces discrete action $a_i$ right after signal $w_i$. The boolean $b_i$ serves to break ties in case the environment and the system both want to perform a discrete action at the same time: if $b_i = T$ then the environment is allowed to make a move and otherwise the system may perform an action. As in [7], our game starts after a finite execution $\alpha$. The outcome of the game is described formally in the following definition.

Let $A$ be a HIOA, $\rho$ a strategy for $A$, $\lambda$ an environment sequence for $A$ (with $\rho$ and $\lambda$ as defined above), and let $\alpha$ be a finite hybrid execution of $A$. We define the outcome $O_{\rho,\lambda}(\alpha)$ as the limit of the sequence $(\alpha_i)_{i \ge 0}$ of hybrid executions that is constructed inductively below. Each $\alpha_i$ is either a sentence or admissible.

Let $l = \alpha.lstate\lceil L_A$. Then $\alpha_0 = \alpha\ e\ p(w_1(0) \cup l)$.

Here we extend $\alpha$ in a trivial way to a sentence in order to get into a situation where strategy $\rho$ can be applied in combination with environment sequence $\lambda$. In the definition, $\cup$ is the operation that takes the union of two functions, each viewed as a set of pairs. The first argument of $\cup$ yields the values for the input variables and the second argument the values for the locally controlled variables.

For $i > 0$, define $\alpha_i$ in terms of $\alpha_{i-1}$ as follows.

If $\alpha_{i-1}$ is admissible then $\alpha_i = \alpha_{i-1}$.

Otherwise, $\alpha_{i-1}$ is a sentence. Pick any full trajectory $w_i^f \in \mathcal{F}\text{-}trajs(U_A)$ with $w_i \le w_i^f$. Then by axiom B2 there is a maximal trajectory $w_i' \in W_{\alpha_{i-1}}$ with $w_i' \downarrow U_A \le w_i^f$. By axiom B1, $w_i'$ is uniquely determined by the choice of $w_i^f$. Let $t = w_i.ltime$ and $t' = w_i'.ltime$. We distinguish between three cases:

1. If $t = t' = \infty$ then

$\alpha_i = \alpha_{i-1} \frown w_i'$.

This is the case where both the system and the environment have decided not to perform any discrete action.

2. If $t < t'$ or $t = t' < \infty \wedge b_i = T$, then

$\alpha_i = \alpha_{i-1} \frown \big((w_i' \unlhd t)\ a_i\ p(w_{i+1}(0) \cup g_{\alpha_{i-1}}(w_i' \unlhd t, a_i))\big)$.

This is the case where, after an initial fragment of $w_i'$, the environment produces an input action $a_i$. The resulting state after this action is obtained by taking the union of the first state of the next input trajectory and the local state that is specified by the $g$-part of the strategy.

3. If $t' < t$ or $t = t' < \infty \wedge b_i = F$ and if we let $f_{\alpha_{i-1}}(w_i') = (a_i', l_i)$, then

$\alpha_i = \alpha_{i-1} \frown \big(w_i'\ a_i'\ p(w_{i+1}(0) \cup l_i)\big)$.

This is the case where, after $w_i'$ has been completed, the system performs a locally controlled step as specified by the $f$-part of the strategy.

Note that the definition of $\alpha_i$ does not depend on the choice of $w_i^f$ since by axiom B1 the prefix $w_i' \unlhd t$ of $w_i'$ that is used in the construction is determined uniquely by the fixed prefix $w_i$ of $w_i^f$.

Proposition 5. $O_{\rho,X}(\alpha)$ is a Zeno or admissible hybrid execution of $A$.

A hybrid execution $\alpha$ of a HIOA $A$ is Zeno-tolerant iff it is Zeno, contains
infinitely many input actions and only finitely many locally controlled actions.
A strategy $\rho$ for $A$ is Zeno-tolerant if for each environment sequence $X$ and for
each finite execution $\alpha$, $O_{\rho,X}(\alpha)$ is either admissible or Zeno-tolerant. We call $A$
receptive iff there exists a Zeno-tolerant strategy for $A$. Note that each receptive
HIOA is trivially feasible.

We now come to the main result of this paper. 

Theorem 6. Suppose $A_1$ and $A_2$ are strongly compatible, receptive HIOA's.
Then $A_1 \| A_2$ is receptive.

The corresponding result for the hiding operations is much easier to prove: 

Theorem 7. Suppose $A$ is a receptive HIOA, and let $S \subseteq \Sigma^{out}_A$ and $Z \subseteq Y_A$.
Then $\mathit{ActHide}(S, A)$ and $\mathit{VarHide}(Z, A)$ are receptive.



5.3 Strong Compatibility vs. Compatibility 

In order to apply Theorem 6, one has to establish that the HIOA's $A_1$ and
$A_2$ are strongly compatible. From control theory it is well-known that this is
a difficult problem in general. However, it is possible to identify certain classes
of I/O behaviors for which strong compatibility reduces to compatibility. This
means that for all processes of $A_1$ and $A_2$ in such a class, the condition of strong
compatibility in Theorem 6, which in general is hard to check, reduces to the
syntactic condition of compatibility.

A first example can be obtained by considering what we call autistic I/O
behaviors. These are I/O behaviors that accept any input but produce an output
that is totally unrelated to this input. Formally, an I/O behavior is called autistic
if it satisfies the axiom

B4 $\forall w, w' \in W : \mathit{dom}(w) = \mathit{dom}(w') \Rightarrow w \lceil Y = w' \lceil Y$



It is easy to verify that two autistic processes are strongly compatible iff they 
are compatible. From the perspective of classical control theory autistic processes 
are definitely of no interest: why have an input if it is not used at all? In a hybrid 
setting, however, an automaton that does not process its input in a continuous 
manner can still monitor this input and perform a discrete transition when some 
threshold is reached. In linear hybrid automata [3, 2], for instance, there is no 
continuous processing of inputs and all underlying processes are autistic. 

Less trivial examples of classes of I/O behaviors for which strong compati-
bility reduces to compatibility can be found in the literature on control theory
[19]. In control theory it is common to express the continuous behavior of a
system by means of differential equations; thus, to be sure that a system is well
described, the differential equations need to admit a unique solution for each
possible starting condition of the system. A typical approach is to describe a
system through differential equations of the form

$$E:\quad \dot{x} = f(x, u)$$

$$\phantom{E:\quad} y = g(x)$$

where $u$, $y$, and $x$ are the input, output, and internal vectors of variables, re-
spectively. It is known from calculus that if $f$ is globally Lipschitz and $u$ is $C^1$,
then for each fixed starting condition $x(0) = x_0$ there is a unique solution to the
equations of $E$, defined on a maximal neighborhood of $0$, such that $x(0) = x_0$.
Suppose that the dynamic type of each input variable is the set of all $C^1$ func-
tions. Consider the set $W$ of all the solutions to $E$ for each possible choice of $x_0$
and of $u(t)$, and let $(U, X \cup Y, W')$ be any I/O behavior whose trajectories are
prefixes of trajectories in $W$. We say that $(U, X \cup Y, W')$ is an I/O behavior of
$E$.

Consider now two systems, described by equations $E_1$ and $E_2$ with the same
form as $E$, and suppose there are no common locally controlled variables in $E_1$
and $E_2$. The interaction between $E_1$ and $E_2$ can be described by a new set of
equations $E_3$ obtained by considering together the equations of $E_1$ and $E_2$. If
also the $g$ functions of $E_1$ and $E_2$ are globally Lipschitz, then it is easy to show
that $E_3$ can be represented in the same form as $E$ where $f$ and $g$ are globally
Lipschitz. Furthermore, let $P_1$ and $P_2$ be any two I/O behaviors of $E_1$ and $E_2$,
respectively. Then it is the case that $P_1$ and $P_2$ are strongly compatible and that
their composition is an I/O behavior of $E_3$.

Therefore, if we choose the dynamic type of each variable to be the set of all $C^1$
functions, then strong compatibility reduces to compatibility for I/O behaviors
of systems of equations $E$, where $f$ and $g$ are globally Lipschitz. In general,
any choice of conditions on $f$ and $u$ that guarantee local existence of unique
solutions and that are preserved by interaction between systems can be used as
a basis to define a class of processes for which strong compatibility reduces to
compatibility.
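As an added worked example that is not part of the paper, the interconnection of two systems of the form $E$ carried through explicitly, with the Lipschitz constant of the combined system computed. The wiring (each output feeds the other's input, and $E_1$ also reads an external input $v$) is an assumption made here for concreteness.

$$E_1:\ \dot{x}_1 = f_1(x_1, u_1),\ y_1 = g_1(x_1) \qquad E_2:\ \dot{x}_2 = f_2(x_2, u_2),\ y_2 = g_2(x_2)$$

Interconnection (no common locally controlled variables, since $\{x_1, y_1\} \cap \{x_2, y_2\} = \emptyset$):

$$u_1 = (v, y_2), \qquad u_2 = y_1 .$$

Substituting the output equations into the inputs gives

$$\dot{x}_1 = f_1\big(x_1, (v, g_2(x_2))\big), \qquad \dot{x}_2 = f_2\big(x_2, g_1(x_1)\big).$$

With $x = (x_1, x_2)$, $u = v$ and $y = (y_1, y_2)$ this is again of the form $E$, namely $E_3:\ \dot{x} = f(x,u),\ y = g(x)$ with

$$f(x, u) = \Big( f_1\big(x_1, (u, g_2(x_2))\big),\ f_2\big(x_2, g_1(x_1)\big) \Big), \qquad g(x) = \big( g_1(x_1), g_2(x_2) \big).$$

Lipschitz check. Let $L_{f_1}, L_{f_2}, L_{g_1}, L_{g_2}$ be global Lipschitz constants and use $\|(a,b)\| = \|a\| + \|b\|$. For the first component,

$$\big\| f_1(x_1,(u,g_2(x_2))) - f_1(x_1',(u',g_2(x_2'))) \big\| \le L_{f_1}\big( \|x_1 - x_1'\| + \|u - u'\| + L_{g_2}\|x_2 - x_2'\| \big),$$

and symmetrically for the second component with $L_{f_2}$ and $L_{g_1}$. Adding the two bounds,

$$\|f(x,u) - f(x',u')\| \le L\,\big( \|x - x'\| + \|u - u'\| \big), \qquad L = \max\big( L_{f_1} + L_{f_2} L_{g_1},\ L_{f_2} + L_{f_1} L_{g_2} \big),$$

and $g$ is globally Lipschitz with constant $\max(L_{g_1}, L_{g_2})$. Hence, for every $C^1$ external input $v$ and every starting condition $x(0) = (x_{1,0}, x_{2,0})$, $E_3$ has a unique solution on a maximal neighborhood of $0$, exactly as required for I/O behaviors of $E$.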